What can we expect from Europe in terms of cyber regulations?
Publié le 08/2/2022
Author : Arnaud Dufournet, Chief Marketing Officer
As we start off this year in which France has taken over the presidency of the Council of the European Union, it is worth looking at the repercussions of the upcoming European regulations on cybersecurity. Especially in light of the fact that France has made it clear that “strengthening cybersecurity is a priority for its presidency”. Over the next six months, the presidency will work to drive forward negotiations on the revision of the Network and Information System Security Directive (NIS Directive). Regulating the digital space is another main priority, as Thierry Breton has pinned his hopes on seeing both the Digital Service Act (DSA) and the Digital Market Act (DMA) pass.
Faced with the stark reality of losing sovereignty mainly to the GAFAM, Europe appears to have decided to react and now shows a desire for “strategic autonomy”. The first sign of this reaction is a recovery plan drawn up by Brussels last year, 20% of which is devoted to the digital transition and, more specifically, to investment in sovereign technologies. The other lever is regulation, with a desire to reduce the level of dependence on U.S. cloud services.
NIS Directive: the foundations of a European cyber shield
Let us return more specifically to the area of cybersecurity and the NIS Directive, as the outlines of its second version have just been adopted by the Commission.
EU Member States adopted Directive 2016/1148 on the security of network and information systems on 6 July 2016. Drawing heavily on the Military Programming Act (Loi de Programmation Militaire) introduced in France in 2013, it aims to make Europe more resilient by developing protective measures and collaboration in the face of cyber threats. To achieve this, it lays down minimum cybersecurity requirements for businesses and organizations that provide so-called essential services, i.e. services whose interruption would have a significant impact on the economy or society.
Referred to as Operators of Essential Services (OSEs), these entities belong to seven business sectors set out in the Directive: finance/insurance, energy, transport/logistics, health, drinking water, and digital infrastructure and services. For the latter, the Directive introduces the concept of Digital Service Providers (DSPs).
As a whole, the Directive imposes three types of obligations on OESs and DSPs:
- Identify risks that threaten the security of networks and information systems (ISs)
- Take appropriate technical and operational measures to protect against these risks
- Inform the competent national authority (ANSSI in France) or a Computer security incident response team (CSIRT) about the incidents suffered and their implications
More than half of the Member States added several additional sectors and sub-sectors to cover activities they consider sensitive for their nation. Spain and Germany, for instance, added the retail and distribution sectors. France, in turn, added education and social activities to the list of essential activities. It also included the distribution of medicines in the Health sector, when it transposed the directive into the law of 26 February 2018.
Here comes NIS 2 and a string of new OESs
Reviewing legislative texts is a standard process for the European Commission. The review of the NIS Directive had been planned for 9 May 2021 at the latest. The work and consultations conducted in 2020 have shown greater resilience capacity. They also highlighted areas for progress, such as the varying levels of protection among Member States. Technological advancements, digitization of business processes, and interconnections that increase interdependencies also call for the initial scope of the Directive to be reconsidered.
As part of its “Cybersecurity Strategy for the Digital Decade”, the European Commission presented its proposal for a revised directive last 10 December. The aim of this proposal is to mitigate inconsistencies in protection across Member States, to increase the level of cooperation, and to control and further strengthen the obligations of the organizations concerned.
One of its immediate consequences will be an increase in the number of sectors affected by the Directive. The Commission also considers that the concept of DSP is no longer appropriate. Out go the DSPs, the new proposal now refers to “important entities”. As a consequence, their number will grow since additional providers of digital infrastructures and services will be included, e.g. Internet Exchange Point providers, DNS service providers, top-level domain name registries, cloud computing service providers, data centers, content delivery network providers, trusted service providers, and providers of public electronic communications networks.
New sectors are also covered, such as postal and courier services, waste management, food production, manufacturing, and public administration. There are still some gray areas regarding these added sectors, such as the manufacturing sector, as reported by the French digital industry association Syntec Numérique (position paper only available in French). This sector appears to be very broad in the proposal. It includes all organizations that manufacture electrical equipment, computer, electronic, and optical products, machinery, motor vehicles, and other transport equipment, as well as medical devices!
Lastly, the size of the entities belonging to sectors designated as OESs will be taken into consideration as a criterion. The concept of a “cap” should be introduced to limit the impact to large and medium-sized organizations. Micro and small businesses thus remain outside the scope.
More cooperation and stricter obligations
Binding obligations include the obligation to report incidents to the competent authorities within 24 hours. The Commission is also introducing the somewhat vague concept of “near miss” (Article 20), which would have to be notified in the same way as significant incidents. Syntec rightly fears an “overload of notifications”.
Another noteworthy aspect of the proposal concerns the security of supply chains and supplier relations. New requirements for service providers falling under essential or important entities are therefore to be anticipated.
Supervisory authorities will have expanded powers, including the possibility to conduct regular audits on risk assessment. As for the proposed penalties, they can go up to 2% of the total worldwide turnover in case of non-compliance (Article 31). Infringements and non-conformities would be made public.
On cooperation, the proposal encourages information sharing by creating a framework for coordinated disclosure of vulnerabilities and calls on Member States to designate CSIRTs. Formally established in September 2020, the Cyber Crisis Liaison Organization Network (CyCLONe) is tasked with coordinating the management of large-scale cyber incidents or crises and ensuring the exchange of information between all stakeholders. The European Union Agency for Cybersecurity (ENISA) will be responsible for maintaining a European vulnerability registry for discovered vulnerabilities and producing a biennial report on the state of cybersecurity in the Union.
Waiting for DORA
Once the final version of the text is ratified by the European Parliament and the Council, Member States will have two years from the date on which the Directive enters into force to transpose the new provisions into their national legislation. If France succeeds in having the text adopted during its presidency of the Council of the EU, it would then become applicable in 2024.
Essential and important entities will then have to juggle the different regulations that apply to them and sometimes face certain inconsistencies. For example, the GDPR requires notification of incidents within 72 hours compared to only 24 hours for NIS 2.
The NIS Directive must strike a balance with other regulations already in force or soon to be in force. Providers of electronic communications networks that come within the scope of the Directive are already subject to the European Electronic Communications Code (EECC).
Two additional texts will complete the Directive:
- The proposal of December 20 for a directive on the resilience of critical entities. This directive addresses the physical security of critical infrastructures, i.e. the prevention of non‑cyber risks (natural disasters, terrorism, etc.).
- The proposal for a regulation on digital operational resilience for the financial sector. The Digital Operational Resilience Act (DORA) is a regulation aiming to improve the resilience of firms in the financial sector to all types of threats related to information and communication technologies. It will set minimum requirements for banking, financial, and insurance professionals as well as ICT third-party service providers. We will have a chance to discuss this in more detail in a future article.
The coming months will therefore be particularly busy in terms of European regulations which will affect a greater number of businesses and government bodies. The adoption of the final text of the NIS 2 Directive should obviously be followed very closely in order to identify the new OESs. By embarking on an ongoing certification process, TheGreenBow offers critical market operators and OESs trusted VPN solutions that ensure their communications are protected in all circumstances and help them enhance their resilience capacity. Feel free to contact us if you plan to achieve compliance with access management requirements for your information system.